CSA pushes software-defined perimeter network protection

For many years defense, intelligence and other government agencies have deployed secure networks that are invisible and inaccessible to outsiders. As a result, agencies are no strangers to “need-to-know” networks in which the posture and identity of devices are verified before access to the application is granted.

However, these invisible networks are often built on proprietary architectures that do not communicate with other networks, making them too expensive for many agencies to deploy.

An initiative by the Cloud Security Alliance in December 2013 aims to make these “invisible networks” accessible to a wider range of government agencies and corporations. The Software Defined Perimeter (SDP) initiative will foster development of an architecture for securing the Internet of Things by using the cloud to create highly secure end-to-end networks between any IP-addressable entities, according to officials with CSA, a nonprofit organization that promotes security best practices in cloud computing.

The framework’s goal is to mitigate attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated. The plan incorporates security concepts and standards from both the National Institute of Standards and Technology and the Defense Department.

The CSA launched the initiative with its Software Defined Perimeter Report, which explains the SDP security framework and how it can be deployed to protect application infrastructures. CSA intends to create a public standard that is available for use without license fees or restrictions.

SDP uses a classified network model to protect applications because the traditional network perimeter has rapidly become obsolete with the growth of devices moving inside networks and with the migration of applications beyond the network perimeter to the cloud. Typically in classified or highly secure networks, every server is hidden behind a remote access gateway to which a user must authenticate before seeing and accessing authorized services.

“SDPs maintain the benefits of the need-to-know model but eliminate the disadvantages of requiring a remote access gateway appliance,” according to the CSA report. Instead, “SDPs require endpoints to authenticate and be authorized first before obtaining network access to protected servers, and then, encrypted connections are created in real time between requesting systems and application infrastructure,” the report states. Requesting systems can be mobile devices such as smartphones, computers or even sensors.
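The authenticate-then-connect flow the report describes, simulated as an added example (not CSA's or Vidder's code): a default-deny gateway that answers nothing until a controller has checked device identity, device posture and the user's need-to-know entitlements. The shared HMAC key, the posture baseline, the entitlement table and the service addresses are all constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholders: a real SDP would use PKI/SAML, not a shared key.
CONTROLLER_KEY = b"example-controller-key"
SERVICES = {"payroll": "10.0.0.5:443", "hr-db": "10.0.0.6:5432"}
# Need-to-know policy: which services each user is allowed to see at all.
ENTITLEMENTS = {"alice": {"payroll"}, "bob": {"payroll", "hr-db"}}
# Minimum device posture required before identity is even considered.
REQUIRED_POSTURE = {"disk_encrypted": True, "patched": True}


class Gateway:
    """Default-deny: no (device, service) pair is reachable until authorized."""

    def __init__(self):
        self.allowed = set()

    def connect(self, device_id, service):
        # Unauthorized requests get no reply, so the service stays invisible.
        if (device_id, service) not in self.allowed:
            return None
        # Only now is an encrypted session to the real server set up.
        return f"tls://{SERVICES[service]}"


def sign(device_id, user, posture):
    """Device-side MAC over identity and self-reported posture (hypothetical)."""
    msg = f"{device_id}|{user}|{sorted(posture.items())}".encode()
    return hmac.new(CONTROLLER_KEY, msg, hashlib.sha256).hexdigest()


def controller_authorize(gw, device_id, user, posture, tag):
    """Controller checks identity, then posture, then opens only entitled services."""
    # 1. Identity: reject anything not signed by an enrolled device.
    if not hmac.compare_digest(sign(device_id, user, posture), tag):
        return set()
    # 2. Posture: reject devices that fail the baseline.
    if any(posture.get(k) != v for k, v in REQUIRED_POSTURE.items()):
        return set()
    # 3. Entitlement: open exactly the services this user may reach, nothing else.
    granted = ENTITLEMENTS.get(user, set())
    for svc in granted:
        gw.allowed.add((device_id, svc))
    return granted
```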

SDP is based on a proven architecture built by proprietary security providers, according to Junaid Islam, founder and CTO of cloud security company Vidder Technologies, and an author of the SDP report. It incorporates standard security tools such as public key infrastructure, trusted layered security, IPsec, and Security Assertion Markup Language (SAML) as well as concepts such as federation and geolocation to enable connectivity from any device to any infrastructure. SDP perimeters can be deployed anywhere – on the Internet, in the cloud, at a hosting center, on the private corporate network or across some or all of these locations.

The CSA Working Group is writing the first draft of the SDP standard that goes into more details about specifications and protocols than the white paper released last month. This will allow developers to write code based upon the standard. After the draft is released, CSA will release open-source code to the public to help foster innovation and cooperation between the cloud vendors, Islam said.

The SDP concept will be publicly tested next month during a hackathon at the RSA security conference in San Francisco. “We will take the security model and have a contest to see if anyone can break it,” said Islam. The results will be made public.

“Need-to-know networks are not new in the government space,” Islam said. “We are taking a lot of concepts that are quite old — such as identify the user and afterwards let him onto the network he is allowed to be on and nothing else. That’s been around for 20 years. But it’s never been standardized.”

Standardization will reduce the price for government buyers by bringing more suppliers into an ecosystem where diverse security technologies work together to protect applications from network-based attacks, Islam said.

Sixty companies have joined the CSA Software Defined Perimeter Working Group since the project was launched in December. The initiative is being led by Bob Flores, former CTO of the CIA and now CEO of Applicology Inc. Flores, also an author of the report, brings over 30 years of experience working with classified networks to the SDP initiative. Alan Boehme, chief of enterprise architecture and emerging technologies with the Coca-Cola Company, and Jeff Schweitzer, chief innovation architect with Verizon, also contributed to the report.